Developer outlines possible attack that could trick iOS users into giving their Apple ID credentials away

Posted by:
Date: Wednesday, October 11th, 2017, 05:33
Category: Developer, iOS, News, security, Software

This might be worth watching out for.

Per developer Felix Krause, a popup technique could be used to easily trick someone into handing over their Apple ID and password on their iOS device.

The developer noted that it is incredibly easy for an iOS app maker to recreate the Apple ID password prompt. From there, the app could send that popup and subsequently log the Apple ID and password. It takes less than 30 lines of code and could seemingly be dropped in any legitimate iOS app and sneak past App Store review teams.


Krause offered the following comments:

Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it’s literally the examples provided in the Apple docs, with a custom text.

I decided not to open source the actual popup code, however, note that it’s less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code.

The issue has existed on desktop browsers for years, wherein questionable websites could send fake popups that are nearly identical to normal system notifications. Krause has filed the issue with Apple and explains that it could be fixed by Apple not allowing passwords to be entered in popups, but rather only in the Settings app/App Store.

Krause offered the following steps as a means for users to protect themselves from this issue:

Hit the home button, and see if the app quits:

If it closes the app, and with it the dialog, then this was a phishing attack

If the dialog and the app are still visible, then it’s a system dialog. The reason for that is that the system dialogs run on a different process, and not as part of any iOS app.

Don’t enter your credentials into a popup, instead, dismiss it, and open the Settings app manually. This is the same concept, like you should never click on links on emails, but instead open the website manually

If you hit the Cancel button on a dialog, the app still gets access to the content of the password field. Even after entering the first characters, the app probably already has your password.

Via 9to5Mac and Felix Krause’s blog

Recent Posts

Leave a Reply